b'Report No. D-2009-111                    September 25, 2009\n\n\n\n\n     Controls Over Information Contained in BlackBerry\n                 Devices Used Within DoD\n\x0cAdditional Copies\nTo obtain additional copies of this report, visit the Web site of the Department of Defense\nInspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports\nDistribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\nSuggestions for Audits\nTo suggest or request audits, contact the Office of the Deputy Inspector General for\nAuditing by phone (703) 604-9142 (DSN 664-9142), by fax (703) 604-8932, or by mail:\n\n                      ODIG-AUD (ATTN: Audit Suggestions)\n                      Department of Defense Inspector General\n                      400 Army Navy Drive (Room 801)\n                      Arlington, VA 22202-4704\n\n\n\n\nAcronyms and Abbreviations\nAIM              Asset Inventory Management\nASD(NII)/DoD CIO Assistant Secretary of Defense (Networks and Information\n                     Integration)/DoD Chief Information Officer\nBES              BlackBerry Enterprise Server\nCIO              Chief Information Officer\nCTO              Communications Tasking Order\nDCMA             Defense Contract Management Agency\nDISA             Defense Information Systems Agency\nDLA              Defense Logistics Agency\nJTF-GNO          Joint Task Force-Global Network Operations\nPDA              Personal Digital Assistant\n\x0c                                 INSPECTOR GENERAL\n                                DEPARTMENT OF DEFENSE\n                                  400 ARMY NAVY DRIVE\n                             ARLINGTON, VIRGINIA 22202- 4704\n\n\n\n\n                                                                        September 25, 2009\n\nMEMORANDUM FOR ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS\n                 AND INFORMATION INTEGRATION/DoD CHIEF\n                 INFORMATION OFFICER\n               ASSISTANT 
SECRETARY OF THE AIR FORCE (FINANCIAL\n                 MANAGEMENT AND COMPTROLLER)\n\nSUBJECT: Controls Over Information Contained in BlackBerry Devices Used Within\n         DoD (Report No. D-2009-lll)\n\n\nWe are providing this report for your review and comment. We considered management\ncomments on a draft of this report when preparing the final report. The complete text of\nthe comments is in the Management Comments section of the report.\n\nDoD Directive 7650.3 requires that all recommendations be resolved promptly. The\nAssistant Secretary of Defense for Networks and Information IntegrationIDoD Chief\nInformation Officer comments on Recommendations l.a and l.b are not responsive and the\ncomments on Recommendations l.c through l.f are partially responsive. Therefore, we\nrequest revised comments on Recommendations l.a through l.fby October 25,2009. The\nAir Force Chief Information Officer did not provide comments prior to issuance of the final\nreport; therefore, we request comments on Recommendations 2.a through 2.c by\nOctober 25,2009.\n\nIf possible, send a .pdf file containing your comments to audros@dodig.mil. Copies of\nyour comments must have the actual signature of the authorizing official for your\norganization. We are unable to accept the /Signed/ symbol in place of the actual signature.\nIf you arrange to send classified comments electronically, you must send them over the\nSECRET Internet Protocol Router Network (SIPRNET).\n\nWe appreciate the courtesies extended to the staff. Please direct questions to me at (703)\n604-8905 (DSN 664-8905).\n\n\n                                            /~~~\n                                             Paul 1. ranetto\n                                             Assistant Inspector General\n                                             Readiness, Operations, and Support\n\x0c\x0cReport No. D-2009-111 (Project No. 
D2008-D000LC-0131.000)                    September 25, 2009\n\n\n               Results in Brief: Controls Over Information\n               Contained in BlackBerry Devices Used\n               Within DoD\n\nWhat We Did                                             What We Recommend\nOur objective was to determine whether the              We recommend that the ASD(NII)/DoD CIO:\nMilitary Services and other Defense agencies have           \xef\x82\xb7 revise the DoD BlackBerry Security\ncontrols in place to prevent unauthorized                      Checklist to require all DoD BlackBerry\ndisclosure of information contained in wireless                device passwords to, at a minimum,\ndevices. Specifically, we reviewed controls to                 comply with DoD Instruction 8500.2 and\nprotect information contained in BlackBerry                    develop a written plan to implement the\ndevices as these are the primary Personal Digital              use of two-factor authentication;\nAssistant (PDA) devices used by the Military                \xef\x82\xb7 ensure that the correct risk levels are\nServices and other Defense agencies. We visited                assigned to all BlackBerry security controls\nvarious Air Force, Defense Contract Management                 and ensure that only high and medium risk\nAgency (DCMA), Defense Information Systems                     levels are designated as \xe2\x80\x9crequired\xe2\x80\x9d and\nAgency, and Defense Logistics Agency locations              \xef\x82\xb7 clarify the specific wireless topics required\nto assess their controls over BlackBerry devices.              in annual information assurance training.\nWe also reviewed DoD criteria governing                 We recommend that the Air Force Chief\nBlackBerry devices.                                     
Information Officer (CIO):\n                                                            \xef\x82\xb7 reconcile the PDA password requirements\nWhat We Found                                                  in Air Force Instruction 33-200.\nDoD Components did not always implement                     \xef\x82\xb7 implement controls to ensure PDA\nadequate controls to properly secure information               inventory transactions are recorded in the\non BlackBerry devices. For example,                            official inventory system\n   \xef\x82\xb7 passwords did not always meet the length               \xef\x82\xb7 ensure all security settings are validated\n       and complexity requirements of DoD                      and a written authority to operate is\n       Instruction 8500.2;                                     issued for the BlackBerry Enterprise\n   \xef\x82\xb7 the Assistant Secretary of Defense                        Server that services Andrews and Bolling\n       (Networks and Information                               Air Force Bases.\n       Integration)/DoD Chief Information\n       Officer (ASD[NII]/DoD CIO) allowed               Management Comments and\n       DoD Components to use their discretion in        Our Response\n       not implementing required controls, such\n       as encrypting data stored on BlackBerry          The ASD(NII)/DoD CIO comments were partially\n       devices, properly implementing user              responsive. DCMA provided comments on the\n       agreements, and requiring passwords to           Finding and recommendations. We did not\n       expire and devices to lock out after a           receive comments from the Air Force CIO prior to\n       specified period of time; and                    issuance of the final report. 
We request that the\n   \xef\x82\xb7 annual information assurance training did          ASD(NII)/DoD CIO provide revised comments on\n       not always include wireless topics in            the final report by October 25, 2009 and that the\n       accordance with DoD Directive 8100.02.           Air Force CIO also provide comments by\n                                                        October 25, 2009. Please see the\n                                                        recommendations table on page ii.\n\n\n\n                                                    i\n\x0cReport No. D-2009-111 (Project No. D2008-D000LC-0131.000)               September 25, 2009\n\nRecommendations Table\n\nManagement                        Recommendations                    No Additional\n                                  Requiring Comment                  Comments Required\nAssistant Secretary of Defense    1.a, 1.b, 1.c, 1.d, 1.e, and 1.f\n(Networks and Information\nIntegration)/DoD Chief\nInformation Officer\nAir Force Chief Information       2.a, 2.b, and 2.c\nOfficer\n\n\nPlease provide comments by October 25, 2009.\n\n\n\n\n                                            ii\n\x0cTable of Contents\n\nIntroduction                                                                       1\n\n       Objectives                                                                  1\n       Background                                                                  1\n       Review of Internal Controls                                                 3\n\nFinding. DoD BlackBerry Requirements                                               4\n\n       Recommendations, Management Comments, and Our Response                     12\n\nAppendices\n\n       A. Scope and Methodology                                                   18\n              Prior Coverage                                                      19\n       B. 
Defense Contract Management Agency Comments                             21\n\nManagement Comments\n\nAssistant Secretary of Defense (Networks and Information Integration)/DoD Chief\n     Information Officer                                                          24\nDefense Contract Management Agency                                                27\n\x0c\x0cIntroduction\nObjectives\nThe overall objective of the audit was to determine whether the Military Services and\nother Defense agencies have controls in place to prevent unauthorized disclosure of\ninformation contained in wireless devices. Specifically, we reviewed controls to protect\ninformation contained in BlackBerry devices as these are the primary Personal Digital\nAssistant (PDA) devices used by the Military Services and other Defense agencies. See\nAppendix A for the scope and methodology and prior audit coverage.\n\nBackground\nPDAs are small, portable electronic devices with similar functional use as a personal\ncomputer with the convenience of portability. However, with the convenience of\nportability comes the risk of loss, which could lead to the compromise of DoD\ninformation. Therefore, DoD Components must implement proper security controls to\nprevent unauthorized disclosure.\nA BlackBerry device incorporates features, such as an organizer (address book, calendar,\nand to-do lists) and instant messaging with wireless services, such as e-mail, mobile\ntelephone, and web browsing. The use of BlackBerry devices is prevalent among high-\nlevel officials such as senior management, personnel requiring access to DoD information\ntechnology resources during non duty hours, and personnel who are frequently separated\nfrom the office. 
Because BlackBerry devices can introduce security vulnerabilities\nexposing Government information systems to compromise, BlackBerry devices must be\nproperly secured.\nThe BlackBerry Enterprise Server (BES) permits a DoD-compliant information system\nSecurity policy to be enforced on all BlackBerry devices. The BES provides a\ncentralized link between BlackBerry devices, BlackBerry applications, and wireless\nnetworks, while integrating devices into an organization\xe2\x80\x99s e-mail system.\n\nCriteria Governing BlackBerry Devices\nDoD Directive 8100.02, \xe2\x80\x9cUse of Commercial Wireless Devices, Services, and\nTechnologies in the Department of Defense (DoD) Global Information Grid (GIG),\xe2\x80\x9d\nApril 14, 2004, provides policy and responsibilities for the security of commercial\nwireless devices used throughout DoD. The Assistant Secretary of Defense (Networks\nand Information Integration)/DoD Chief Information Officer (ASD[NII]/DoD CIO) is\nresponsible for developing DoD wireless policy.\nThe Defense Information Systems Agency (DISA) issued the, \xe2\x80\x9cDoD Wireless Security\nTechnical Implementation Guide, DISA Version 5, Release 2,\xe2\x80\x9d November 15, 2007\n(DoD Wireless Security Technical Implementation Guide), to implement DoD 8100.02.\n\n\n\n\n                                            1\n\x0cDISA also issued the, \xe2\x80\x9cDoD Wireless Security Technical Implementation Guide,\nBlackBerry Security Checklist, Version 5, Release 2.1,\xe2\x80\x9d November 15, 2007, (November\n2007 DoD BlackBerry Security Checklist) to provide minimum baseline BlackBerry\nsecurity guidance for DoD. DISA also updated the November 2007 DoD BlackBerry\nSecurity Checklist and issued the, \xe2\x80\x9cDoD Wireless Security Technical Implementation\nGuide, BlackBerry Security Checklist, Version 5, Release 2.2,\xe2\x80\x9d September 15, 2008\n(September 2008 DoD BlackBerry Security Checklist). 
The DoD Wireless Security\nTechnical Implementation Guide and BlackBerry Security Checklist outlines the\nresponsibilities of the Designated Approving Authority 1 as well as the following\nstandards related to the protection of information on BlackBerry devices:\n    \xef\x82\xb7   password protection for BlackBerry devices,\n    \xef\x82\xb7   encryption of data stored on BlackBerry devices,\n    \xef\x82\xb7   signed user agreements for BlackBerry devices,\n    \xef\x82\xb7   inventory records of BlackBerry devices, and\n    \xef\x82\xb7   physical security of the BES.\nOn June 5, 2008, the Joint Task Force-Global Network Operations (JTF-GNO)2 issued\nCommunications Tasking Order (CTO) 08-009, \xe2\x80\x9cImplementation Timelines for\nEncryption of Sensitive Unclassified Data-at-Rest (DAR) within the DoD,\xe2\x80\x9d establishing\n\xe2\x80\x9cdata-at-rest\xe2\x80\x9d encryption instructions and milestones for reporting encryption status.\nData-at-rest encryption is the encryption of information stored on hard drives to prevent\nunauthorized access to that information.\n\nBlackBerry Devices Used in DoD\nAs of January 2008, DoD Components reported approximately 63,000 BlackBerry\ndevices used within DoD that have the ability to process sensitive information. The\nAir Force, Defense Contract Management Agency (DCMA), DISA, and Defense\nLogistics Agency (DLA) accounted for over 55 percent (34,961) of the BlackBerry\ndevices reported to DoD. Table 1 shows the number of BlackBerry devices reported by\nAir Force, DCMA, DISA, and DLA.\n\n\n\n\n1\n  The Designated Approving Authority has the authority to assume responsibility for operating an\ninformation system at an acceptable level of risk. 
Once the Designated Approving Authority deems the\nlevel of risk to be acceptable, they grant the system authority to operate.\n2\n  The Director of DISA is also the commander of JTF-GNO and is responsible for directing the operation\nand defense of the DoD network.\n\n\n                                                   2\n\x0c       Table 1. Devices Reported by Air Force, DCMA, DISA, and DLA in\n                                 January 2008\n            DoD Components                        Number of Devices\n Air Force                                             30,000\n DCMA                                                           3,000\n DISA                                                             793\n DLA                                                            1,168\n Total                                                         34,961\nWe reviewed BlackBerry controls at the Air Force, DCMA, DISA, and DLA.\n\nReview of Internal Controls\nDoD Instruction 5010.40 \xe2\x80\x9cManagers Internal Control (MIC) Program Procedures,\xe2\x80\x9d\nJanuary 4, 2006, requires DoD organizations to implement a comprehensive system of\ninternal controls that provides reasonable assurance that programs are operating as\nintended and to evaluate the effectiveness of the controls. We identified internal control\nweaknesses for the DoD. Specifically, DoD did not always implement adequate controls\nto properly secure information on BlackBerry devices. See the Finding paragraph for\nmore detailed explanation. Implementing Recommendations 1.a.-f. and 2.a.-c. should\ncorrect the internal control weaknesses identified in the report. We will provide a copy of\nthis report to the senior officials responsible for internal controls in the ASD(NII)/DoD\nCIO, the Air Force, DCMA, DISA and DLA.\n\n\n\n\n                                            3\n\x0cFinding. 
DoD BlackBerry Requirements\nDoD Components did not always implement adequate controls to properly secure\ninformation on BlackBerry devices. Specifically:\n\n    \xef\x82\xb7    passwords did not always meet the length and complexity requirements of DoD\n         Instruction 8500.2, \xe2\x80\x9cInformation Assurance (IA) Implementation,\xe2\x80\x9d\n         February 6, 2003;\n    \xef\x82\xb7    ASD(NII)/DoD CIO allowed DoD Components to use their discretion in not\n         implementing required controls, such as encrypting (turning data into an\n         unintelligible form) data stored on BlackBerry devices, properly implementing\n         user agreements, and requiring passwords to expire and devices to lock out after a\n         specified period of time;\n    \xef\x82\xb7    annual information assurance training did not always include wireless topics, nor\n         was it clear what wireless topics should have been included in the annual\n         information assurance training; and\n    \xef\x82\xb7    Air Force official inventory levels did not always reflect individual site inventory\n         levels.\n\nDoD Components did not always implement adequate controls because DoD issued\nconflicting guidance. In addition, Air Force did not always perform adequate oversight\nin regard to BlackBerry inventory levels. As a result, DoD cannot ensure that\ninformation contained in BlackBerry devices is adequately protected against\nunauthorized access.\n\nPassword Requirements\nPasswords did not always meet the length and complexity requirements of DoD\nInstruction 8500.2. Specifically, Instruction 8500.2 states that DoD information systems3\nare accessed through the use of an individual identifier (for example, a user name) and a\npassword. 
When a user login identifier is used with a password to access a system\nprocessing sensitive information, Instruction 8500.2 requires the password to be at least\neight characters including at least one upper case letter, one lower case letter, one\nnumber, and one special character. Because a BlackBerry device can contain sensitive\ninformation and just a password can provide access to the information in the BlackBerry\ndevice, a BlackBerry device password should, at a minimum, follow the length and\ncomplexity requirements of DoD Instruction 8500.2. The Air Force, DCMA, DISA, and\nDLA sites that we visited did not always implement passwords in accordance with DoD\nrequirements to protect sensitive information. For example, when we began the audit, the\nBESs at Andrews and Bolling Air Force Bases, DCMA, and DLA Headquarters were set\n\n\n3\n  DoD Instruction 8500.2 defines an information system as a set of information resources organized for\ncollection, storage, processing, maintenance, use, dissemination, disposition, display, or transmission of\ninformation.\n\n\n                                                      4\n\x0cto enforce only passwords that were at least five characters,4 as opposed to at least eight\ncharacters as required by DoD Instruction 8500.2. In addition, the BESs at DISA and\nWright-Patterson Air Force Base were set to enforce passwords that were at least six\ncharacters and eight characters, respectively. 
However, with the exception of Andrews\nand Bolling Air Force Bases, none of the BESs at the sites we visited were set to enforce\npasswords that contained at least one uppercase letter, one lowercase letter, one number,\nand one special character.\n\nDoD BlackBerry password requirements in the September 2008 DoD BlackBerry\nSecurity Checklist conflicted with the password requirements in DoD Instruction 8500.2.\nEven though BlackBerry devices can contain sensitive information, the September 2008\nDoD BlackBerry Security Checklist permits the minimum BlackBerry device password\nto be only five characters, consisting of at least one letter and one number.\n\nThe DoD Wireless Security Technical Implementation Guide states that it creates an\nenvironment that meets DoD security requirements for protecting sensitive information,\nbut its minimum BlackBerry password requirements do not meet DoD security\nrequirements.\n\nAir Force Chief Information Officer Password Guidance\nThe Air Force Chief Information Officer (CIO) issued unclear guidance regarding\npassword requirements for PDAs. 
Specifically, Air Force Instruction 33-200,\n\xe2\x80\x9cInformation Assurance (IA) Management,\xe2\x80\x9d December 23, 2008, directs PDA users to\nthe following three sets of guidance, each having different password requirements.\n\n    \xef\x82\xb7   DISA Wireless Security Technical Implementation Guide requires PDA\n        passwords to be at least five characters.\n    \xef\x82\xb7   DISA Secure Remote Computing Security Technical Implementation Guide refers\n        to password requirements in DoD Instruction 8500.2, which requires passwords to\n        be at least eight characters with at least one upper case letter, one lower case\n        letter, one number, and one special character for access to information systems\n        processing sensitive information.5\n    \xef\x82\xb7   Air Force Manual 33-223, \xe2\x80\x9cIdentification and Authentication,\xe2\x80\x9d requires Air Force\n        passwords to be at least nine characters with at least two upper case letters, two\n        lower case letters, two numbers, and two special characters.\n\nThe different publications with different password requirements can create confusion\namong Air Force personnel regarding which password requirements they should follow\n\n\n4\n  The BES at Andrews and Bolling Air Force Bases was also set to require passwords for four BlackBerry\ndevices to be at least eight characters.\n5\n  The DISA Secure Remote Computing Security Technical Implementation Guide requires PDA users who\nare not performing system administration functions to secure the PDA by following, to the fullest extent\npossible, the password requirements in DoD Instruction 8500.2.\n\n\n\n                                                   5\n\x0cfor PDAs. This could lead to users not protecting information on PDAs to the extent\nintended by the Air Force CIO. 
The Air Force CIO should reconcile the various PDA\npassword requirements in Air Force Instruction 33-200 to determine specific password\nrequirements that PDA users must follow and adjust Air Force Instruction 33-200\naccordingly.\n\nAccess Control Within DoD\nASD(NII)/DoD CIO representatives acknowledged that they would prefer to use two-\nfactor authentication, such as a Common Access Card with a Personal Identification\nNumber or a Common Access Card with biometrics, such as a finger print scan to access\nBlackBerry devices. Although the representatives stated they were not aware of any\nviable commercial versions of these technologies for BlackBerry devices, DoD Security\nTechnical Implementation Guide, \xe2\x80\x9cAccess Control in Support of Information Systems,\xe2\x80\x9d\nVersion 2, Release 2, December 26, 2008, requires two-factor authentication to access\ninformation systems processing sensitive information. In addition, DoD Directive\n8521.01E, \xe2\x80\x9cDepartment of Defense Biometrics,\xe2\x80\x9d February 21, 2008, states that the\nASD(NII)/DoD CIO must ensure that biometrics are developed for access control and\neffectively integrated into information assurance efforts. However, the ASD(NII)/DoD\nCIO representatives said they had no written plan with milestones to implement two-\nfactor authentication for accessing information in BlackBerry devices.\n\nBecause BlackBerry devices are mobile computing devices that can contain sensitive\ninformation, ASD(NII)/DoD CIO should revise the DoD BlackBerry Security Checklist\nto, at a minimum, require all DoD BlackBerry devices to have a password at least eight\ncharacters, including one upper case letter, one lower case letter, one number, and one\nspecial character in compliance with DoD Instruction 8500.2. 
In addition,\nASD(NII)/DoD CIO should develop a written plan to implement the use of two-factor\nauthentication for accessing information on BlackBerry devices.\n\nDiscretion in Implementing Controls\nASD(NII)/DoD CIO allowed DoD Components to use their discretion in not\nimplementing required controls, such as encrypting data stored on BlackBerry devices;\nproperly implementing user agreements; and requiring passwords to expire and devices to\nlock out after a specified period of time. The September 2008 DoD BlackBerry Security\nChecklist designated mandatory controls as \xe2\x80\x9crequired\xe2\x80\x9d and discretionary controls as\n\xe2\x80\x9coptional.\xe2\x80\x9d In addition, the September 2008 DoD BlackBerry Security Checklist also\nassigned a risk level to each control to indicate the risk to BlackBerry security when an\norganization does not implement the control. These risk levels relate to DoD Instruction\n8510.01, \xe2\x80\x9cDoD Information Assurance Certification and Accreditation Process\n(DIACAP),\xe2\x80\x9d November 28, 2007, which permits a Designated Approving Authority to\n\n\n\n\n                                           6\n\x0capprove a system to operate without correcting security weaknesses with low risk. 6\nHowever, a Designated Approving Authority must satisfactorily mitigate a security\nweakness with medium risk and must not approve a system to operate without correcting\nsecurity weaknesses with high risk. The September 2008 DoD BlackBerry Security\nChecklist designated some low risk controls as \xe2\x80\x9crequired,\xe2\x80\x9d which permitted the\nDesignated Approving Authority to approve the system to operate without implementing\nsome \xe2\x80\x9crequired\xe2\x80\x9d controls. 
For example, Air Force and DCMA did not always implement\n\xe2\x80\x9crequired\xe2\x80\x9d controls that were assigned a low level of risk.\n\nConflicting Guidance\nASD(NII)/DoD CIO officials did not fully reconcile requirements from the September\n2008 DoD BlackBerry Security Checklist to risk levels in DoD Instruction 8510.01.\nAccording to DISA representatives, the intent of the September 2008 DoD BlackBerry\nSecurity Checklist was for DoD Components to implement all \xe2\x80\x9crequired\xe2\x80\x9d security\nsettings; however, according to the September 2008 DoD BlackBerry Security Checklist,\nsome \xe2\x80\x9crequired\xe2\x80\x9d controls were designated as low risk. As a result, the Designated\nApproving Authority could use discretion on whether or not to implement these controls.\nThe ASD(NII)/DoD CIO should ensure that the correct risk levels are assigned to all\nBlackBerry security controls. For example, data-at-rest encryption is assigned a low\nlevel of risk; however, this control can prevent unauthorized access to information, which\nis more consistent with a higher level of risk. In addition, DISA assigned a low level of\nrisk to the user agreement and no longer requires the seven topics; however the\nNovember 2007 BlackBerry Security Checklist assigned a medium level of risk to this\ncontrol and ASD(NII)/DoD CIO representatives said the user agreement control should\nnot be assigned a low level of risk. As a result, as part of the review of risk levels\nassigned to all BlackBerry controls, ASD(NII)/DoD CIO should assign a higher risk level\nto the data-at-rest encryption and user agreement controls and also require that the seven\ntopics be included in user agreements. 
After ensuring that the correct risk levels have\nbeen assigned to all BlackBerry controls, ASD(NII)/DoD CIO should then ensure that\nonly high and medium risk controls are designated as \xe2\x80\x9crequired\xe2\x80\x9d and ensure that controls\nidentified as low risk are not designated as \xe2\x80\x9crequired.\xe2\x80\x9d Once ASD(NII)/DoD CIO\nresolves these issues within the DoD BlackBerry Security Checklist, DoD Components\nshould review their controls to ensure they have fully met established requirements.\n\nEncryption Requirements\nAir Force and DCMA did not always encrypt data stored on BlackBerry devices.\nSpecifically, Andrews, Bolling, and Wright-Patterson Air Force Bases and DCMA did\nnot encrypt data stored on their BlackBerry devices, which was a \xe2\x80\x9crequired\xe2\x80\x9d control in\nthe November 2007 DoD BlackBerry Security Checklist. The November 2007 DoD\nBlackBerry Security Checklist states that information assurance officers must ensure that\n\n\n6\n DoD Instruction 8510.01 designates risk levels using severity categories of I, II, or III with severity\ncategory I designating the greatest risk level. For this audit report, we use the term high risk to represent\nseverity category I, medium risk to represent severity category II, and low risk to represent severity\ncategory III.\n\n\n                                                       7\n\x0cthey encrypt all data stored on the BlackBerry devices. In addition, the\nJTF-GNO CTO 08-009 states that all DoD Components must meet specific milestones\nfor encrypting the data stored in their BlackBerry devices in accordance with the\nNovember 2007 DoD BlackBerry Security Checklist, which assigned a low level of risk\nto this \xe2\x80\x9crequired\xe2\x80\x9d control.\n\nUser Agreements\nDCMA did not properly educate BlackBerry users on their roles and responsibilities when\nusing the BlackBerry device. 
Specifically, the November 2007 DoD BlackBerry Security Checklist requires that information assurance officials develop a user agreement between the component and BlackBerry users. The November 2007 DoD BlackBerry Security Checklist states that officials should have users of BlackBerry devices read and acknowledge that they have accepted their roles and responsibilities regarding safeguarding information on BlackBerry devices. The user agreement must include the following seven topics:
       1. type of access required by the user;
       2. responsibilities, liabilities, and security measures involved in the use of the BlackBerry device;
       3. incident handling and reporting procedures along with a designated point of contact;
       4. responsibility for damage caused to a Government system or data through negligence or a willful act;
       5. general security requirements and practices;
       6. for classified devices, user responsibility to adhere to DoD policy in regard to facility clearances, protection, storage, distribution, etc.; and
       7. Government-owned hardware and software is used for official duties only, where the employee is the only individual authorized to use the device.
Although the November 2007 BlackBerry Security Checklist assigned a medium level of risk to the user agreement requirement, the September 2008 DoD BlackBerry Security Checklist assigned a low level of risk to the requirement. In April 2009, DISA revised the DoD BlackBerry Security Checklist to recommend, but no longer require, the seven topics to be in the user agreement.

Password Expiration and Device Lock Out Requirements
Andrews and Bolling Air Force Bases and DCMA did not always configure their BESs to require BlackBerry device passwords to expire after a specified period of time. In addition, Air Force and DCMA did not always configure their BESs to require BlackBerry devices to lock out after a specified period of time.7 Specifically, the September 2008 DoD BlackBerry Security Checklist requires that BlackBerry users change their passwords every 90 days and requires BlackBerry devices to lock out after 60 minutes, regardless of activity or inactivity. However, the September 2008 DoD BlackBerry Security Checklist assigned a low level of risk to the requirements.

7 During the audit, Andrews and Bolling Air Force Bases configured their BES to require BlackBerry devices to lock out after a specified period of time. Although Wright-Patterson Air Force Base did not configure their BES to require BlackBerry devices to lock after a specified period of time, they plan to implement this configuration.

Annual Information Assurance Training
Annual information assurance training did not always include wireless topics, nor was it clear what wireless topics should have been included in the annual information assurance training. DoD Directive 8100.02 directs the heads of DoD Components to ensure the Designated Approving Authority incorporates wireless topics in annual information assurance training. However, Andrews, Bolling, and Wright-Patterson Air Force Bases and DCMA did not include wireless topics in their annual information assurance training. Although DISA and DLA annual information assurance training included some wireless topics, we are not certain that the training met the requirements of DoD Directive 8100.02 because ASD(NII)/DoD CIO did not clarify the specific wireless topics that should be included in the training.

As a result, DoD cannot be certain that wireless users are fully aware of security risks associated with wireless devices such as BlackBerry devices. Therefore, ASD(NII)/DoD CIO needs to clarify the specific wireless topics required by DoD Directive 8100.02 and establish controls to help ensure that DoD wireless users receive annual information assurance training that includes these required wireless topics.

BlackBerry Devices Inventory
Component official inventory levels did not reflect individual site inventory levels. Specifically, the Andrews, Bolling, and Wright-Patterson Air Force Bases official BlackBerry inventory levels in the Asset Inventory Management (AIM) System did not reflect the local base inventory levels. Air Force Instruction 33-112, “Information Technology Hardware Asset Management,” April 7, 2006, requires the Information Technology Asset Group to account for BlackBerry devices in the AIM System for their official property records. According to the AIM System, Andrews, Bolling, and Wright-Patterson Air Force Bases had a total of 1,589 BlackBerry devices. However, the Andrews, Bolling, and Wright-Patterson Air Force Bases’ local inventory records showed that they had a total of 2,861 BlackBerry devices in use. Table 2 shows the difference between inventory records at Andrews, Bolling, and Wright-Patterson Air Force Bases.

Table 2.
Air Force BlackBerry Inventories

Air Force Base        Air Force AIM      Air Force Bases’ Local
Location              System Records     Inventory Records        Difference
Andrews(1)                     34                     233                199
Bolling(1)                    102                     292                190
Wright-Patterson(2)         1,453                   2,336                883
Total                       1,589                   2,861              1,272

(1) AIM and local inventory BlackBerry records as of May 2008.
(2) AIM and local inventory BlackBerry records as of July 2008.

The official inventory records did not reflect the individual site records because there was a lack of communication between the Andrews, Bolling, and Wright-Patterson Air Force Bases staff that maintained and configured their BlackBerry devices and the staff that managed their information technology assets. Although we reviewed only the inventory records for Andrews, Bolling, and Wright-Patterson Air Force Bases, this issue could be systemic because the Air Force instruction applies to the entire Air Force.

As a result of questionable inventory records within the Air Force, we cannot be certain that the Air Force reported an accurate number of BlackBerry devices with encryption as requested by JTF–GNO. In response to the January 2008 DoD data call, the Air Force reported 30,000 BlackBerry devices to ASD(NII)/DoD CIO; however, the AIM System showed only 14,566 BlackBerry devices in use by the Air Force as of April 2008. According to Air Force officials, the Air Force based the 30,000 BlackBerry device count on sales data from the manufacturer of the BlackBerry device versus the number of devices in their AIM System.
Therefore, we cannot be certain that either the 30,000 or the 14,566 is the total number of BlackBerry devices in use by the Air Force. The Air Force should implement controls to ensure all transactions that affect the inventory of BlackBerry devices are recorded in their AIM System, and then use the system to accurately respond to official data calls such as the encryption data call from the ASD(NII)/DoD CIO in 2008.

Actions Taken During the Audit
During the audit, Andrews, Bolling, and Wright-Patterson Air Force Bases took steps to implement the BES configurations for encryption. We verified that Andrews and Bolling Air Force Bases configured the BES to encrypt data stored on BlackBerry devices. However, Wright-Patterson elected not to activate the setting that specifies the level of encryption on external file systems. Even though the Air Force took steps to encrypt data stored on their BlackBerry devices, the Designated Approving Authority for Andrews and Bolling Air Force Bases had not completed testing to validate all security settings and had not yet issued a written authority to operate. Therefore, the Designated Approving Authority for Andrews and Bolling Air Force Bases should validate all security settings and issue a written authority to operate. DCMA also took steps to encrypt data stored on BlackBerry devices by enabling the content protection feature on their BESs. However, DCMA excluded the address book from content protection. Andrews, Bolling, and Wright-Patterson Air Force Bases and DCMA also took steps to implement the BES configurations for password requirements. For example, both DCMA and the Air Force configured the passwords to expire in 90 days or less in accordance with the DoD BlackBerry Security Checklist.

Conclusion
As a result of unclear guidance from DoD and inadequate oversight by DoD Components, DoD cannot ensure information contained in BlackBerry devices is adequately protected from unauthorized access. The lack of clear guidance created confusion regarding whether DoD Components had to implement mandatory DoD controls. If DoD Components do not implement these mandatory controls, sensitive information on BlackBerry devices is more vulnerable to unauthorized disclosure and exploitation because of the BlackBerry device’s portability and the requirement of only a password to gain access. Therefore, DoD should ensure that information contained in BlackBerry devices is adequately protected against unauthorized access.

Recommendations, Management Comments, and Our Response

Defense Contract Management Agency Comments and Our Response
Although DCMA was not required to comment, summaries of their management comments and our response are in Appendix B.

Comments on the Report
The Principal Director, Deputy Assistant Secretary of Defense for Cyber, Information, and Identity Assurance (the Principal Director) provided comments on the draft audit report for the DoD ASD(NII)/DoD CIO. Because the Principal Director references his comments to support his comments on Recommendation 1.a, we integrated the comments under Recommendation 1.a.

1. We recommend that the DoD Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer:

       a.
Revise the DoD BlackBerry Security Checklist to, at a minimum, require all DoD BlackBerry devices to have a password that is at least eight characters, including one upper case letter, one lower case letter, one number, and one special character in compliance with DoD Instruction 8500.2.

Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer Comments
Although the Principal Director agreed that there should be a uniform length and complexity requirement for passwords for BlackBerry devices throughout the DoD, the Principal Director stated that password guidance for information systems in DoD Instruction 8500.2 does not directly apply to BlackBerry devices. Specifically, the Principal Director said that BlackBerry devices are not a “full-fledged” DoD information system because BlackBerry devices:

   • operate on commercial wireless carriers that are not attached to the DoD network,
   • store and process only unclassified DoD data,
   • provide no direct network connection,
   • provide no access to network resources,
   • provide no network log-on capability,
   • receive wireless communications encrypted at the BES, and
   • are not considered physical nodes on the Global Information Grid.

In addition, the Principal Director stated that when the original Security Technical Implementation Guide was published in 2005, no DoD policy specified password length and complexity requirements for devices that stored and processed unclassified DoD data but were not directly connected to the Global Information Grid. Instead, BlackBerry password requirements were derived using a 2001 protection profile that specified a maximum probability of guessing a system Personal Identification Number for a given Personal Identification Number length and number of access attempts. The Principal Director stated that these policy positions would be clarified in upcoming revisions to DoD Directive 8500.01E and DoD Instruction 8500.2.

Our Response
The Principal Director comments are not responsive. A DoD BlackBerry device that stores and processes DoD information and receives wireless communications that are encrypted at a BES meets the DoD Instruction 8500.2 definition of an information system.8 In addition, a DoD BlackBerry device can also contain sensitive DoD information, such as personally identifiable information. As a result, we disagree with the Principal Director’s position that password requirements for information systems in DoD Instruction 8500.2 do not directly apply to BlackBerry devices. DoD Instruction 8500.2 provides password length and complexity requirements when a user login identifier is used with a password to access a system processing sensitive information. Because just a password could provide access to sensitive information in a BlackBerry device, a DoD BlackBerry device password should, at a minimum, follow the length and complexity requirements of DoD Instruction 8500.2. Furthermore, the Principal Director agreed there should be a uniform length and complexity requirement for passwords for BlackBerry devices throughout the DoD. We request that the Principal Director reconsider his position and provide revised comments in response to the final report.

8 DoD Instruction 8500.2 defines an information system as a set of information resources organized for collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information. DoD requires that a BES be used with BlackBerry devices, which constitutes a set of information resources.

       b. Develop a written plan to implement the use of two-factor authentication for accessing information on BlackBerry devices.

Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer Comments
The Principal Director partially agreed, stating that while two-factor authentication is desirable for BlackBerry devices, there are currently no suitable second factor products available and none are on the horizon. The Principal Director further stated he would develop an appropriate course of action when such products become available.

Our Response
The comments from the Principal Director are not responsive. We disagree that no action should be taken until a suitable second factor product becomes available. DoD Security Technical Implementation Guide, “Access Control in Support of Information Systems,” Version 2, Release 2, December 26, 2008, requires two-factor authentication to access information systems processing sensitive information. In addition, DoD Directive 8521.01E, “Department of Defense Biometrics,” February 21, 2008, states that the ASD(NII)/DoD CIO must ensure that biometrics are developed for access control and effectively integrated into information assurance efforts.
Although DoD BlackBerry devices can contain sensitive information, the Principal Director comments provide no information on DoD efforts to ensure that technologies, such as biometrics, are developed and effectively integrated to implement two-factor authentication for BlackBerry devices. A documented plan with milestones would provide a mechanism for DoD to establish a goal, focus DoD efforts, and measure progress on achieving two-factor authentication to protect sensitive information on DoD BlackBerry devices. We request that the Principal Director reconsider his position and provide revised comments in response to the final report.

       c. Ensure that the correct risk levels are assigned to all BlackBerry security controls and ensure that only high and medium risk levels are designated as “required.”

Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer Comments
The Principal Director partially agreed, stating that he will coordinate with DISA to ensure that the correct risk levels are assigned to BlackBerry controls. However, the Principal Director stated that the fact that a security setting is “required” in a Security Technical Implementation Guide does not automatically mean it should be high or medium risk. The issue is the consequence of not applying the settings relative to impact. The consequences of not applying a setting for a low impact control are obviously less than those for a high impact control. The Principal Director further stated that security settings that are required should be applied unless there are compelling operational reasons for not applying the settings. In such a case, the risk should be accepted by the Designated Approving Authority and the rationale explained in a Plan of Action and Milestones.

Our Response
The Principal Director comments are partially responsive. We agree that the Principal Director should coordinate with DISA to ensure the correct risk levels are assigned to BlackBerry controls and that risk levels should be assigned based on the consequence of not applying the control. Although the September 2008 DoD BlackBerry Security Checklist indicates that required controls are mandatory, DoD Instruction 8510.01 gives the Designated Approving Authority the option to accept the risk and authorize a system to operate without correcting low risk weaknesses. Therefore, low risk controls should not be designated as required in the DoD BlackBerry Security Checklist. We request that the Principal Director reconsider his position and provide revised comments in response to the final report. The revised comments should also include an estimated date for completion of management actions.

       d. Assign a higher risk level to the data-at-rest encryption and user agreement controls.

Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer Comments
The Principal Director partially agreed, stating that the DoD Information Assurance Certification and Accreditation Process Technical Advisory Group is currently reviewing and updating Severity Category definitions. The data-at-rest encryption vulnerability and user agreement vulnerability will be reviewed and categorized appropriately when the new definitions are published.

Our Response
The Principal Director comments are partially responsive. We agree that Severity Categories should be reviewed and updated; however, DoD should carefully consider the risk level assigned to the data-at-rest encryption and user agreement controls.
For example, data-at-rest encryption is assigned a low level of risk in the September 2008 DoD BlackBerry Security Checklist even though this control could prevent unauthorized access to information, which is more consistent with a higher level of risk. In addition, user agreement is assigned a low level of risk in the September 2008 DoD BlackBerry Security Checklist; however, the November 2007 BlackBerry Security Checklist assigned a medium level of risk to the user agreement, and ASD(NII)/DoD CIO representatives stated that the user agreement control should not be assigned a low level of risk. We agree that DoD should not assign a low level of risk to user agreements, and DoD should also not assign a low level of risk to data-at-rest encryption. We request that the Principal Director provide revised comments on Recommendation 1.d in response to the final report. The revised comments should include an estimated date for completion of management actions.

       e.
Require that the seven topics listed in the April 2009 DoD BlackBerry Security Checklist be included in user agreements.

Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer Comments
The Principal Director agreed, stating that this recommendation was implemented by DISA in the June 26, 2009, release of the Wireless Security Technical Implementation Guide BlackBerry Security Checklist (V5R3) (June 2009 DoD BlackBerry Security Checklist).

Our Response
The comments from the Principal Director are only partially responsive because the June 2009 DoD BlackBerry Security Checklist does not clearly require that all seven topics be included. Specifically, for three of the seven topics, the June 2009 DoD BlackBerry Security Checklist states that:

   • the agreement should contain the type of access required by the user;
   • the agreement should contain the responsibilities, liabilities, and security measures; and
   • the policy should contain general security requirements and practices.

The November 2007 DoD Wireless Security Technical Implementation Guide states that the word “should” is a recommendation while the word “will” indicates mandatory compliance. In addition, the November 2007 and September 2008 DoD BlackBerry Security Checklists use the word “will” for the three topics above. We request that the Principal Director reconsider his position and provide revised comments in response to the final report. The revised comments should include an estimated date for completion of management actions.

       f. Clarify the specific wireless topics required by DoD Directive 8100.02 and establish controls to help ensure users of DoD wireless devices receive annual information assurance training that includes wireless topics.

Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer Comments
The Principal Director disagreed, stating that mandating specific training in a DoD policy limits the flexibility of the policy and types of training that can be provided for users and administrators. The Principal Director further stated that using the Security Technical Implementation Guides and associated checklists, which are more frequently updated to identify specific wireless training requirements from year to year and ensuring those topics are covered, is more beneficial to the security posture than a DoD policy. The Principal Director also stated that the September 2008 release of the Wireless Security Technical Implementation Guide BlackBerry Security Checklist (V5R2.2) consolidated user training requirements into a single vulnerability.

Our Response
The comments from the Principal Director are partially responsive. We agree that the Security Technical Implementation Guides and associated checklists could be used to identify wireless topics for annual training. However, the September 2008 DoD BlackBerry Security Checklist includes only a control to train BlackBerry users on specific topics before the user is issued a BlackBerry device; the control does not require that those topics also be used in annual information assurance training. In addition, the Principal Director’s comments did not specify what controls would be established to help ensure that users of wireless devices receive annual information assurance training that includes wireless topics. We request that the Principal Director reconsider his position and provide revised comments in response to the final report. The revised comments should also include an estimated date for completion of management actions.

2. We recommend that the Air Force Chief Information Officer:

       a. Reconcile the various Personal Digital Assistant password requirements in Air Force Instruction 33-200 to determine specific password requirements that Personal Digital Assistant users must follow and adjust Air Force Instruction 33-200 accordingly.

       b. Implement controls to ensure that all transactions that affect the inventory of BlackBerry devices are recorded in their Asset Inventory Management System and use the system to accurately respond to official data calls, such as the encryption data call from the Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer in 2008.

       c. Ensure that all security settings are validated and a written authority to operate is issued covering the BlackBerry Enterprise Server that services Andrews and Bolling Air Force Bases.

Management Comments Required
We did not receive comments from the Air Force CIO prior to issuance of the final report. We request that the ASD(NII)/DoD CIO provide revised comments on the final report by October 25, 2009, and that the Air Force CIO also provide comments by October 25, 2009.

Appendix A. Scope and Methodology
We conducted this performance audit from February 2008 through July 2009 in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our finding and conclusion based on our audit objectives.

As discussed in the Background, DoD Components reported approximately 63,000 BlackBerry devices used within DoD that have the ability to process sensitive information. We focused the audit on the Air Force, DCMA, DISA, and DLA because they accounted for over 55 percent (34,961) of the BlackBerry devices reported to DoD. We visited various Air Force, DCMA, DISA, and DLA locations to assess their controls over BlackBerry devices. Specifically, we assessed:

   • inventory records to assess their accuracy;
   • system security authorization agreements to determine whether the Designated Approving Authority approved the BlackBerry system for use;
   • DoD Component user agreements to determine whether the agreement contained the subjects required by the DoD BlackBerry Security Checklist;
   • each DoD Component’s annual information assurance training courses to determine whether they contained wireless topics, as required by DoD Directive 8100.02;
   • BES policy settings at each DoD Component to determine whether the password settings were in compliance with the DoD BlackBerry Security Checklist and to determine whether each DoD Component had implemented data-at-rest encryption, as required by the JTF-GNO CTO 08-009; and
   • the physical security of each DoD Component’s BES to ensure the server was protected from unauthorized access.

We reviewed the following primary criteria governing BlackBerry devices:

   • DoD Directive 8100.02, “Use of Commercial Wireless Devices, Services, and Technologies in the DoD Global Information Grid,” April 14, 2004;
   • DoD Wireless Security Technical Implementation Guide, Version 5, Release 2, November 15, 2007;
   • DoD Wireless Security Technical Implementation Guide, BlackBerry Security Checklist, Version 5, Release 2.1, November 15, 2007;
   • DoD Wireless Security Technical Implementation Guide, BlackBerry Security Checklist, Version 5, Release 2.2, September 15, 2008; and
   • Joint Task Force Global Network Operations Communications Tasking Orders.

We obtained assistance from the Quantitative Methods and Analysis Division in selecting a sample of users to review at specific Air Force, DCMA, DISA, and DLA locations. Specifically, the Quantitative Methods and Analysis Division selected a stratified sample of 971 devices out of a universe of 4,374 BlackBerry devices to determine whether the Air Force, DCMA, DISA, and DLA BlackBerry devices were configured in accordance with the BES settings for password character length and inventory controls. Because we were unable to test the entire sample, owing to the transient nature of BlackBerry users, and because we identified clearer ways to present the information, we did not use the results from the sample.

Use of Computer-Processed Data
We used computer-processed data to determine which DoD Components we would visit to test controls over information contained in BlackBerry devices. The DoD Components reported to ASD(NII)/DoD CIO that, as of January 2008, DoD used approximately 63,000 BlackBerry devices that contained sensitive information.
We used this universe to determine the DoD Components that used the greatest number of BlackBerry devices. After reviewing Air Force inventory records, we cannot be certain that the Air Force reported an accurate number of BlackBerry devices with encryption to ASD(NII)/DoD CIO, which affected the overall accuracy of BlackBerry devices reported to ASD(NII)/DoD CIO. We did not have the resources to review the accuracy of inventory records reported by all DoD Components that made up the entire database of 63,000 devices. Although the total number of BlackBerry devices reported to ASD(NII)/DoD CIO may not be accurate, it did not affect the overall results and conclusions made in this report. Specifically, we limited the use of information reported to ASD(NII)/DoD CIO to Background and scope information.

Prior Coverage
During the last five years, the Government Accountability Office (GAO) and the DoD Inspector General (DoD IG) have issued six reports discussing the security controls over wireless devices. Unrestricted GAO reports can be accessed over the Internet at http://www.gao.gov. Unrestricted DoD IG reports can be accessed at http://www.dodig.mil/audit/reports.

GAO
GAO Report No. GAO-08-525, “Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains,” June 27, 2008
GAO Report No. GAO-08-343, “Protecting Personally Identifiable Information,” January 25, 2008
GAO Report No. GAO-07-935T, “Agencies Report Progress, but Sensitive Data Remain at Risk,” June 7, 2007
GAO Report No. GAO-06-833T, “Preventing and Responding to Improper Disclosures of Personal Information,” June 8, 2006
GAO Report No. GAO-05-383, “Federal Agencies Need to Improve Controls over Wireless Networks,” May 17, 2005

DoD IG
DoD IG Report No. D-2006-052, “DoD Organization Information Assurance Management of Information Technology Goods and Services Acquired Through Interagency Agreements,” February 23, 2006

Appendix B. Defense Contract Management Agency Comments
The DCMA Executive Director for Information Technology and CIO (DCMA CIO) commented on the Finding and recommendations. Based on DCMA CIO comments, we revised the finding discussion to state that DCMA excluded the BlackBerry address book from content protection. For the full text of DCMA CIO comments, see the Management Comments section of the report.

DCMA Comments on Password Compliance
DCMA CIO agreed that DCMA did not always meet the password length and complexity requirements of DoD Instruction 8500.2 to protect sensitive information. However, the DCMA CIO noted that the DCMA was in compliance with the DoD BlackBerry Security Checklist password complexity and length requirements.

Our Response
DCMA met password length and complexity requirements in accordance with the DoD BlackBerry Security Checklist. However, because BlackBerry devices can contain sensitive DoD information, we recommend that ASD(NII)/DoD CIO revise the DoD BlackBerry Security Checklist to require passwords for BlackBerry devices to be in accordance with DoD Instruction 8500.2 for protecting sensitive information.

DCMA Comments on Implementing Discretionary Controls
DCMA CIO agreed that the DCMA Designated Approving Authority did not always implement “required” controls that were assigned a low risk. The DCMA CIO noted that DCMA used their discretion in not implementing some controls assigned a low level of risk as permitted by DoD Instruction 8510.01.

Our Response
DoD Instruction 8510.01 allowed DCMA to use their discretion in not implementing “required” controls assigned a low level of risk.
As a result, we recommend that DoD\nensure that the correct risk levels are assigned to all BlackBerry security controls and\nensure that only high and medium risk levels are designated as \xe2\x80\x9crequired.\xe2\x80\x9d\n\nDCMA Comments on Encryption of Data Stored on BlackBerry\nDevices\nDCMA CIO partially agreed that DCMA did not always encrypt data stored on\nBlackBerry devices. Specifically, the DCMA CIO noted that during the audit, DCMA\nencrypted all data on their BlackBerry devices except the address book. The DCMA CIO\nstated that the control was assigned a low risk, which allowed them to use their discretion\nin not implementing the control.\n\n\n\n\n                                            21\n\x0cOur Response\nThe control to encrypt data stored on BlackBerry devices was assigned a low risk, which\nallowed DCMA personnel to use their discretion in implementing the control. As the\nreport states, DCMA encrypted the data stored on their BlackBerry devices, excluding the\naddress book. Therefore, because encrypting data stored on BlackBerry devices can\nprevent unauthorized access to information, we recommend that DoD assign a higher risk\nlevel to the data-at-rest encryption control.\n\nDCMA Comments on BlackBerry User Agreements\nDCMA CIO partially agreed that DCMA did not properly educate BlackBerry users on\ntheir roles and responsibilities when using the BlackBerry device. Specifically, DCMA\nCIO stated that the DCMA Computer Security Awareness Training (annual information\nassurance training) included the required seven user agreement topics and was substituted\nfor the BlackBerry user agreement. DCMA CIO further stated that the DCMA annual\ninformation assurance training has included the seven user agreement topics since 2004.\n\nOur Response\nIn July 2008, DCMA management was informed that their FY 2008 annual information\nassurance training did not include the seven user agreement topics. 
DCMA management stated that it was not aware of the BlackBerry user agreement requirement. Subsequently, DCMA management developed additional annual information assurance training material, which included six of the seven user agreement topics.

DCMA Comments on Password Expiration and Device Lockout
DCMA CIO agreed that DCMA did not always configure its BES to require BlackBerry device passwords to expire and the device to lock out after a specified period of time. DCMA CIO noted that the September 2008 DoD BlackBerry Security Checklist assigned a low level of risk to these requirements. DCMA CIO stated that during the course of the audit, DCMA implemented the password lockout requirement.

Our Response
The password expiration and device lockout controls were assigned a low risk, which allowed DCMA to use its discretion in implementing the controls. However, as the report states, DCMA took steps to implement the BES configurations for password requirements.

DCMA Comments on Annual Information Assurance Training
DCMA CIO disagreed with the statement that the DCMA annual information assurance training did not always include wireless topics. Specifically, the CIO noted that although the DCMA annual information assurance training did not specifically address BlackBerry devices, the training has always included wireless topics.

Our Response
In July 2008, DCMA management was informed that its FY 2008 annual information assurance training did not include wireless topics. Subsequently, DCMA management implemented additional annual information assurance training material, which included wireless topics.

DCMA Comments on Encrypting the BlackBerry Address Book
DCMA CIO partially agreed with the statement that DCMA permitted its users to not encrypt their address book.
Specifically, the CIO noted that DCMA did not encrypt the address book.

Our Response
Based on DCMA CIO comments, we revised the Finding discussion to state, “DCMA excluded the address book from content protection.”

Defense Contract Management Agency Comments on the Recommendation
DCMA CIO agreed with Recommendations 1.a through 1.c and 1.f. DCMA CIO partially agreed with Recommendation 1.d, stating that the user agreement should be assigned a low level of risk and that periodic training is more effective than one-time user agreements. However, the DCMA CIO did not agree with Recommendation 1.e, stating that the implementation of Recommendation 1.f would be sufficient.

Our Response
User agreements are particularly important for mobile and remote users because there is a high risk of loss, theft, or compromise. A signed user agreement helps to ensure that users are made aware of the risks and proper procedures for BlackBerry devices. In addition, the November 2007 BlackBerry Security Checklist assigned a higher level of risk to user agreements, and ASD(NII)/DoD CIO representatives stated that user agreements should not be assigned a low level of risk.

Assistant Secretary of Defense (Networks and Information Integration/Chief Information Officer) Comments
[Management comments appear in the original report as scanned images and are not captured in this text.]

Defense Contract Management Agency Comments
[Management comments appear in the original report as scanned images and are not captured in this text. Final Report Reference: Revised page 6]
[Final Report Reference: Revised page 11]